SecurityFocus Linux Newsletter #114

SecurityFocus Linux Newsletter #114

This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php

I. FRONT AND CENTER

1. Instant Insecurity: Security Issues of Instant Messaging
2. Intelligence Gathering: Watching a Honeypot at Work
3. Closing the Floodgates: DDoS Mitigation Techniques
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando,FL) II. LINUX VULNERABILITY SUMMARY
6. DCP-Portal Remote File Include Vulnerability
7. CGIHTML Form Data File Corruption Vulnerability
8. Horde IMP Database Files SQL Injection Vulnerabilities
9. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities
10. myPHPNuke Information Disclosure Vulnerability
11. CommuniGate Pro Webmail File Disclosure Vulnerability
12. CGIHTML Insecure Form-Data Temporary File Vulnerability
13. H-Sphere Webshell Remote Buffer Overrun Vulnerability
14. AJ's Internet Cafe World-Writeable Files Vulnerability
15. Half-Life HLTV Remote Denial Of Service Vulnerability
16. Active PHP Bookmarks Multiple File Include Vulnerabilities
17. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities
18. Mambo Site Server Arbitrary File Upload Vulnerability
19. Multiple Vendor Network Device Driver Frame Padding...
20. H-Sphere Webshell Command.C Mode URI Parameter Command...
21. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability
22. myPHPNuke Default_Theme Cross Site Scripting Vulnerability
23. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox...
24. S8Forum Remote Command Execution Vulnerability
25. FormMail Cross-Site Scripting Vulnerability
26. Middleman net_dns() Frame Pointer Overwrite Vulnerability
27. Bea Systems WebLogic ResourceAllocationException System...
28. DCP-Portal Unauthorized Account Access Vulnerability
29. H-Sphere Webshell flist() Buffer Overflow Vulnerability
30. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command...
31. GeneWeb File Disclosure Vulnerability
32. cgihtml Signed Integer Content-Length Memory Corruption...
33. TANne Session Manager SysLog Format String Vulnerability
34. cgihtml Denial Of Service Vulnerability III. LINUX FOCUS LIST SUMMARY
35. NO NEW POSTS FOR THE WEEK ENDING 01.10.03 IV. NEW PRODUCTS FOR LINUX PLATFORM
36. FireWall Suite
37. NetVigil
38. P-Synch Total Password Management Solution
39. NEW TOOLS FOR LINUX PLATFORMS
40. RSA implementation in Octave v0.01
41. e2undel v0.81
42. RSA encrypting tool v0.11 VI. SPONSOR INFORMATION
43. FRONT AND CENTER

    ---

44. Instant Insecurity: Security Issues of Instant Messaging By Neal Hindocha

Instant messaging services are becoming an increasingly popular form of communication, both in the personal and the professional spheres. This paper will describe instant messaging and offer a brief overview of some of the security threats associated with the service.

http://online.securityfocus.com/infocus/1657

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

2. Intelligence Gathering: Watching a Honeypot at Work By Toby Miller

The purpose of this article is share with the security community the data the author collected from his honeypot. This discussion will include the attacker's recon, the attack, the attempted cover-up, and the reason for the attack on the honeypot.

http://online.securityfocus.com/infocus/1656

3. Closing the Floodgates: DDoS Mitigation Techniques by Matthew Tanase

To be on the receiving end of a distributed denial of service (DDoS) attack is a nightmare scenario for any network administrator, security specialist or access provider. It begins instantly, without warning, and continues relentlessly: machines down, jammed bandwidth, overloaded routers. An effective, immediate response is often difficult and may depend on third parties, such as ISPs. With these challenges in mind, this article will explore some techniques that systems administrators and security professionals can employ should they ever find themselves in this rather undesirable situation.

http://online.securityfocus.com/infocus/1655

4. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY

1. DCP-Portal Remote File Include Vulnerability BugTraq ID: 6525 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6525 Summary:

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in the 'library/editor/editor.php' and 'library/lib.php' scripts included with DCP-Portal.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the '$root' parameter.

If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

2. CGIHTML Form Data File Corruption Vulnerability BugTraq ID: 6550
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6550
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. The software uses the client supplied filename when creating the temporary file. If the attacker supplies a malicious filename, such as one pre-pended with dot-dot-slash (../) directory traversal sequences, it may be possible to corrupt files outside of the specified temporary directory.

The cause of this issue trust in user-supplied input. The routines use a client-supplied filenames when creating temporary file. The routines then do not sufficiently validate that the filename does not contain directory traversal sequences or has a name that may conflict with existing system files.

For this attack to be successful, the targetted files must be writeable by a server process that utilizes the vulnerable cgihtml routines.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

3. Horde IMP Database Files SQL Injection Vulnerabilities BugTraq ID: 6559
Remote: Yes
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6559
Summary:

IMP is a web-based mail interface/client developed by members of the Horde project. It is implemented in PHP and runs on a number of operating systems, including Unix and Linux variants and Microsoft Windows operating systems.

It has been reported that IMP is prone to multiple SQL injection vulnerabilities.

IMP, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. Consequences will vary depending on the queries used and the capabilities of the underlying database implementation.

These issues occur throughout the database command files for different database implementations, for example 'lib/db.pgsql'. These files contain syntax for constructing queries with using database implementations.

SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

4. HTTP Fetcher Library Multiple Buffer Overflow Vulnerabilities BugTraq ID: 6531
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6531
Summary:

HTTP Fetcher is a small library used for downloading files via HTTP using the GET method. It is available for various platforms including the Linux and Unix operating systems.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Multiple buffer overflows have been discovered in HTTP Fetcher. The vulnerabilities occur in the http_fetch() function which is used to gather various HTTP header information. These buffer overflow occurs due to insufficient bounds checking of user-supplied parameters.

It is possible to trigger these conditions by supplying excessive data as the 'host', 'referer', or 'userAgent' parameters. By exploiting one of these issues to overrun 'requestBuf', it may be possible for a remote attacker to overwrite sensitive memory.

Successful exploitation of one of these vulnerabilities may allow an attacker to seize control of an application linked to the library. By overwriting the function's instruction pointer it may be possible to execute arbitrary commands.

The exploitability of this issue may be an issue only if the client application were accessible remotely through a proxy server. For instance, a server which allowed a client to make GET requests from other servers.

5. myPHPNuke Information Disclosure Vulnerability BugTraq ID: 6541
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6541
Summary:

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operatining system.

An information disclosure vulnerability has been reported for myPHPNuke. The vulnerability exists due to insufficient checks performed in the system_footer.php script file. Specifically, the system_footer.php script, found in the 'admin/' subdirectory, calls the phpinfo() function without checking who the user is.

An attacker can exploit this vulnerability by making a request for the system_footer.php script. The system will respond by disclosing information to a remote attacker.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Information obtained in this manner may be used by an attacker to launch attacks against a vulnerable system.

6. CommuniGate Pro Webmail File Disclosure Vulnerability BugTraq ID: 6542
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6542
Summary:

CommuniGate Pro is an internet messaging server. CommuniGate Pro includes a webmail service to allow access to mailboxes via HTTP. It is available for a number of platforms including Unix and Linux variants and Microsoft Windows operating systems.

A file disclosure vulnerability has been reported in the CommuniGate Pro webmail component.

A specially crafted web request containing dot-dot-slash (../) directory traversal sequences may break out of the document root and disclose arbitrary web server readable files that exist on the underlying host.

Exploitation of this vulnerability may lead to disclosure of sensitive information that may be useful in mounting further attacks on the host system. The impact of this vulnerability is compounded by the fact that CommuniGate Pro runs as root by default, though may be configured to drop privileges. This issue was reported for CommuniGate Pro on FreeBSD. It is likely that the software is affected on other platforms as well.

7. CGIHTML Insecure Form-Data Temporary File Vulnerability BugTraq ID: 6552
Remote: No
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6552
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

When handling uploaded form-data, cgihtml creates a temporary file to store this data in /tmp or another user-specified directory. A client supplied filename is used when the temporary file is created. This presents a security vulnerability since the name of the temporary file can be anticipated by the attacker.

A local attacker may take advantage of this condition to create a symbolic link in place of the temporary file, which points to another file on the system which is writeable by a server process which utilizes the vulnerable routines. The vulnerable routines will follow any symbolic links provided in place of a temporary file. The attacker may then submit a malicious form-data upload, using the attacker-supplied filename, and cause local files to be corrupted.

If custom data can be written to files, it is possible to gain elevated privileges.

8. H-Sphere Webshell Remote Buffer Overrun Vulnerability BugTraq ID: 6527
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6527
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A vulnerability has been discovered in H-Sphere Webshell. The problem occurs during the pre-authentication phase. Due to insufficient bounds checking on user-supplied HTTP parameters, it is possible for a remote attacker to cause a buffer to be overrun

The vulnerability occurs in the CGI::readFile() function and can be triggered by passing the target server an HTTP Content-Type 'boundary' parameter of excessive length.

Successful exploitation of this issue would allow an attacker to overwrite the vulnerable functions instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

9. AJ's Internet Cafe World-Writeable Files Vulnerability BugTraq ID: 6560
Remote: No
Date Published: Jan 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6560
Summary:

AJ's Internet Cafe is a freely available internet cafe software package for use with the Linux Thin Client Project software. A problem with AJ's Internet Cafe may allow unauthorized write access to files.

It has been reported that AJ's Internet Cafe installs with insecure permissions. By default, many files installed with the package are world-writeable. This may allow users to modify the contents to gain free time on the host, or perform other malicious activities.

1. Half-Life HLTV Remote Denial Of Service Vulnerability BugTraq ID: 6579 Remote: Yes Date Published: Jan 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6579 Summary:

Half-Life is commercially available game which may be played over a network. HLTV is the Half-Life TV component of the Half-Life Dedicated Server (hlds). It is available for the Linux operating system.

A problem with HLTV could make it possible for a remote user to deny service to legitimate users.

It has been reported that under some circumstances, a remote user may cause the service to crash. By sending a specially crafted packet to the host, the service becomes unstable. The service must be manually restarted to resume normal operation.

The problem is in the handling of specific types of requests from clients. When an HLTV server receives a request of the string '\xff\xff\xff\xff\0' the server crashes. It is not know what impact this has on the operation of the game server.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Versions other than hlds 3.1.1.0 may also be affected.

1. Active PHP Bookmarks Multiple File Include Vulnerabilities BugTraq ID: 6545 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6545 Summary:

Active PHP Bookmarks (APB) is a web-based application for managing a collection of bookmarks. APB is available for Unix and Linux variants as well as Microsoft Windows operating systems.

APB is prone to multiple issues which may allow a remote attacker to cause a malicious external file to be included and interpreted.

Attackers may influence include paths for a number of APB scripts. By specifying a path to a resource (such as a malicious PHP script) on a remote attacker-controlled server, it is possible to cause arbitrary commands to be executed with the privileges of the webserver process.

This issue is known to exist in the following scripts:

head.php
apb_common.php
apb_view_class.php

1. Mambo Site Server Multiple Cross Site Scripting Vulnerabilities BugTraq ID: 6571 Remote: Yes Date Published: Jan 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6571 Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

Mambo Site Server does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running Mambo Site Server.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The following files were reported to be prone to cross site scripting attacks:

administrator/popups/sectionswindow.php
administrator/gallery/gallery.php
administrator/gallery/navigation.php
administrator/gallery/uploadimage.php
administrator/gallery/view.php
administrator/upload.php

emailfriend/emailarticle.php
emailfriend/emailfaq.php
emailfriend/emailnews.php

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate by using cookie-based authentication credentials.

This vulnerability was reported for Mambo Site Server 4.0.12 BETA and earlier.

1. Mambo Site Server Arbitrary File Upload Vulnerability BugTraq ID: 6572 Remote: Yes Date Published: Jan 10 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6572 Summary:

Mambo Site Server is a freely available, open source web content management tool. It is written in PHP, and available for Unix, Linux, and Microsoft Windows operating systems.

A problem with Mambo Site Server may make it possible for remote attackers to upload files to a vulnerable system.

Due to inadequate security checks performed by some PHP scripts, an attacker is able to upload arbitrary files to the system. The following scripts have been reported to be vulnerable to this issue: administrator/gallery/uploadimage.php
administrator/upload.php
upload.php

Specifically, the scripts only check to see whether certain image extensions, such as '.jpg' and '.gif', exist in the filename. As such any file that includes the allowed extensions may be uploaded. Any uploaded files will be stored in the 'images/stories' directory on the system.

Given the ability to upload arbitrary files to the host, an attacker can exploit this vulnerability to upload malicious applications to the vulnerable system or use the system for the storage of files.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This vulnerability was reported for Mambo Site Server 4.0.12 BETA and earlier.

1. Multiple Vendor Network Device Driver Frame Padding Information Disclosure Vulnerability BugTraq ID: 6535 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6535 Summary:

Network device drivers for several vendors have been reported to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused portion of the frame buffer padded with null (or other) bytes. Some device drivers do not do this adequately, leaving the data that was stored in the memory comprising the buffer prior to its use intact. Consequently, this data may be transmitted within frames across ethernet segments. As the ethernet frame buffer is allocated in kernel memory space, sensitive data may be leaked.

An attacker can exploit this vulnerability by sending a simple ICMP packet to a vulnerable machine. A response to such a query will involve a packet that has been padded to a sufficient length. It may be that the information that is padded is of a sensitive nature. An attacker may use the information obtained in this manner to launch other attacks against a vulnerable system.

This vulnerability has been reported to affect the atp.c, axnet_cs.c, xirc2ps_cs.c and the rtl8139.c network device drivers for Linux variant systems. Older NetApp systems using the 'Gigabit Ethernet Controller I' are vulnerable to this issue.

Cisco has stated that the IOS 12.1 and 12.2 trains are not affected.

1. H-Sphere Webshell Command.C Mode URI Parameter Command Execution Vulnerability BugTraq ID: 6537 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6537 Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

The H-Sphere Webshell component is prone to a remote command execution vulnerability.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This issue exists in the 'command.C' source file and is due to insufficient validation of input supplied via the 'mode' URI parameter. It is possible for a remote attacker to supply shell commands via this URI parameter, which will be executed with the privileges of Webshell.

Exploitation of this vulnerability will allow the attacker to gain interactive and possibly privileged access to the underlying host.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

1. H-Sphere Webshell diskusage.cc Buffer Overflow Vulnerability BugTraq ID: 6540 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6540 Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A vulnerability has been discovered in H-Sphere Webshell. The problem occurs due to insufficient bounds checking on user-supplied values.

The vulnerability occurs in the diskusage.cc file and can be triggered by passing the target server an value of excessive length, of greater than 1024 characters, for the 'path' variable.

Successful exploitation of this issue may allow an attacker to overwrite the vulnerable functions instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

1. myPHPNuke Default_Theme Cross Site Scripting Vulnerability BugTraq ID: 6544 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6544 Summary:

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available for the Linux and Microsoft Windows operating systems.

Reportedly, myPHPNuke does not adequately filter HTML code thus making it prone to cross-site scripting attacks. It is possible for a remote attacker to create a malicious link containing script code which will be executed in the browser of a legitimate user. All code will be executed within the context of the website running myPHPNuke.

The vulnerability exists in the chatheader.php and partner.php script files included with myPHPNuke. Specifically, malicious HTML code is not properly sanitized from the value for the 'Default_Theme' URI parameter.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may hijack the session of the legitimate by using cookie-based authentication credentials.

This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier.

1. Macromedia ColdFusion MX CFInclude And CFModule Tag Sandbox Escaping Vulnerability BugTraq ID: 6566 Remote: Yes Date Published: Jan 09 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6566 Summary:

ColdFusion MX Enterprise Edition is the application server developing and hosting infrastructure distributed by Macromedia. It is available as a standalone product for Unix, Linux, and Microsoft Operating Systems.

A problem with ColdFusion MX Enterprise Edition may allow users to access restricted files.

A vulnerability in the use of the cfinclude and cfmodule Tags exists in ColdFusion MX. In environments that are sandboxed, it may be possible for a script to access files outside of the sandboxed directory. This could lead to unauthorized access to files on the host.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The problem is in the handling of relative paths. Due to insufficient checking of input in custom tags, it is possible to upload a file using custom tags and containing relative paths that will access files outside of a sandboxed directory. This could allow an attacker to access unauthorized and potentially sensitive information.

It should be noted that this vulnerability will only reveal the contents of files to which the ColdFusion server has read access to.

1. S8Forum Remote Command Execution Vulnerability BugTraq ID: 6547 Remote: Yes Date Published: Jan 06 2003 12:00AM Relevant URL: http://www.securityfocus.com/bid/6547 Summary:

S8Forum is web forum software. It employs a local flat-file database for storing user information. It is available for Unix and Linux variants as well as Microsoft Windows operating systems.

S8Forum is prone to a remote command execution vulnerability.

When a user registers with the forum, a file is created locally with the specified username. The contents of this file will be the data entered by the user. As a result, a malicious user could create a file with an arbitrary name and PHP (.php) extension that contains valid PHP code. The attacker may then cause this file to be executed by requesting it via HTTP. This may result in execution of arbitrary commands with the privileges of the webserver process. An attacker may exploit this condition to gain local, interactive access to the system hosting the vulnerable software.

20. FormMail Cross-Site Scripting Vulnerability BugTraq ID: 6570
Remote: Yes
Date Published: Jan 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6570
Summary:

FormMail is a web-based e-mail gateway, which allows form-based input to be emailed to a specified user. It is written in Perl and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

FormMail is allegedly prone to cross-site scripting attacks.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The FormMail script does not sufficiently sanitize HTML tags and script code from query strings, which in turn are output into pages generated by the software. As a result, a remote attacker may construct a malicious link to the script which contains arbitrary script code. If this link is visited by a web user, the attacker-supplied script code may be interpreted by their browser in the context of the site hosting the software.

This may allow an attacker to steal cookie-based authentication credentials or manipulate web content. Other attacks are also possible.

This issue was reported in FormMail 1.92. Other versions may also be affected.

21. Middleman net_dns() Frame Pointer Overwrite Vulnerability BugTraq ID: 6584
Remote: Yes
Date Published: Jan 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6584
Summary:

Middleman is an HTTP/1.1 proxy server. It is available for the Linux and Unix operating systems.

A vulnerability has been discovered in Middleman. The problem occurs when the net_dns() function calls s_strncpy() during a DNS lookup of the request server hostname. The s_strncpy() function is a wrapper for strncpy(), designed to NULL terminate all copied strings. When the s_strncpy() function is called on the requested host name of 128 bytes, a NULL byte may be written to the least significant byte (LSB) of the functions frame pointer (EBP). This issue occurs due to an incorrect length parameter passed to s_strncpy().

Overwriting the least significant bit of EBP with a NULL byte may allow an attacker to point the variable into user-supplied data. As EBP is copied to the frames stack pointer (ESP), an attacker may trick the program into referencing a malicious address as an instruction pointer. This will allow an attacker to execute arbitrary commands with the privileges of the vulnerable server, possibly root.

It should be noted that this issue may not occur on all systems. The existance of this vulnerability may be highly dependant on compiler optimization.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

22. Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability BugTraq ID: 6586
Remote: Yes
Date Published: Jan 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6586
Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless application server for Microsoft Windows and most Unix and Linux distributions.

A vulnerability in BEA Systems WebLogic Server may, under some circumstances, result in the disclosure of system passwords if exceptions are output.

BEA Systems has reported that WebLogic Server will throw an exception when an application attempts to route a JMS message across a bridge and an error occurs. This exception will include the supplied system password, in plaintext.

Applications that output exceptions may inadvertently disclose password values. This may ultimately result in a remote party gaining access to affected systems.

23. DCP-Portal Unauthorized Account Access Vulnerability BugTraq ID: 6526
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6526
Summary:

DCP-Portal is a freely available content management system implemented in PHP. It is available for a variety of platforms including Microsoft Windows and Linux variants.

DCP-Portal does not sufficiently sanitize user-supplied input for URI parameters.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

An attacker can exploit this vulnerability by supplying values for the 'dcp5_member_admin' or 'dcp5_member_id' parameters with the appropriate values. This will allow an attacker to obtain access to user accounts on the vulnerable site hosting DCP-Portal.

This vulnerability was reported for DCP-Portal 5.0.1. It is not known whether earlier versions are affected.

24. H-Sphere Webshell flist() Buffer Overflow Vulnerability BugTraq ID: 6538
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6538
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

A remotely exploitable vulnerability has been discovered in H-Sphere. The problem occurs in the flist() function used by the WebShell component. By making a request for a directory name of excessive length, it may be possible to overrun a buffer.

By exploiting this issue to overwrite sensitive locations in memory a remote attacker would be able to control the program and possibly execute arbitrary instructions.

25. H-Sphere Webshell Command2.CC Zipfile URI Parameter Command Execution Vulnerability BugTraq ID: 6539
Remote: Yes
Date Published: Jan 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6539
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere ships with WebShell, a component designed to be a file manager for uploading downloading files via FTP. H-Sphere is available for the Windows, Linux, and Unix operating systems.

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The H-Sphere Webshell component is prone to a remote command execution vulnerability.

This issue exists in the 'command2.CC' source file and is due to insufficient validation of input supplied via the 'zipfile' URI parameter. It is possible for a remote attacker to supply shell commands via this URI parameter, which will be executed with the privileges of Webshell.

Exploitation of this vulnerability will allow the attacker to gain interactive and possibly privileged access to the underlying host.

It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.

26. GeneWeb File Disclosure Vulnerability BugTraq ID: 6549
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6549
Summary:

GeneWeb is Web based genealogy software. It is available for a variety of platforms including Linux variant operating systems.

A file disclosure vulnerability has been reported for GeneWeb. Reportedly, GeneWeb does not adequately sanitize some input.

An attacker can exploit this vulnerability to craft a specially formed URL that can cause geneweb to disclose the contents of arbitrary files on the vulnerable system.

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Although unconfirmed, it is likely that an attacker can construct a URL consisting of dot-dot-slash (../) character sequences to obtain access to files outside of the document root. It should be noted that only files accessible by the geneweb server will be disclosed to the attacker.

Exploitation of this vulnerability may lead to disclosure of sensitive information that may be useful in mounting further attacks on the host system.

This vulnerability affects GeneWeb versions 4.0.8 and earlier.

27. cgihtml Signed Integer Content-Length Memory Corruption Vulnerability BugTraq ID: 6551
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6551
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml which may result in memory corruption. The problem occurs when reading a user-supplied Content-Length value for POST data.

An attacker is able to create a situation where memory may be overwritten by passing a negative length as the Content-Length value in a POST request. By passing excessive POST data it is possible for the attacker to overrun the allocated buffer, effectively overwriting heap memory. This may cause the affected program to crash.

Although not yet confirmed, it may be possible to exploit this vulnerability to execute arbitrary code. Placing a malicious malloc header in heap memory may potentially allow an attacker to overwrite a GOT address to point to shellcode.

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

28. TANne Session Manager SysLog Format String Vulnerability BugTraq ID: 6553
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6553
Summary:

TANne is a freely available, open source session management package. It is available for Unix and Linux operating systems.

A problem with TANne may make it possible to execute arbitrary code.

Due to programming error, it may be possible to exploit a format string vulnerability. A logging function in the TANne program contains insecure syslog() calls. This could result in the execution of attacker-supplied code.

The problem is the in two syslog() calls in the netzio.c source file. When the program is invoked using the vulnerable function, it may be possible to exploit a format string vulnerability through the generation of a malicious log event which contains attacker-supplied format strings. In the event that this vulnerability is exploited, an attacker could cause arbitrary locations in memory to be corrupted with attacker-specified data and execute code with the privileges of the TANne user.

29. cgihtml Denial Of Service Vulnerability BugTraq ID: 6555
Remote: Yes
Date Published: Jan 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6555
Summary:

cgihtml is a series of CGI and HTML routines, implemented in C. It can be run on a number of platforms, including Unix and Linux variants and Microsoft Windows.

A vulnerability has been discovered in cgihtml when processing Multipart HTTP headers. It has been reported that, when processing a multipart header, cgihtml fails to sufficiently verify the sanity of the header structure. This may result in an affected application reading invalid values supplied 38 bytes within a malicious header.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

If this situation were to occur it may be possible for the attacker to cause the application to crash. Although it has not yet been confirmed, it is speculated that cgihtml contains other vulnerabilities similar to this issue.

III. LINUX FOCUS LIST SUMMARY

1. NO NEW POSTS FOR THE WEEK ENDING 01.10.03

1. FireWall Suite by Cybernet Systems Platforms: FreeBSD, Linux, MacOS, Windows NT http://www.netmax.com/products/secure_prods.html Summary:

The NetMAX FireWall, FireWall Suite, and FireWall ProSuite simplify Linux servers by installing a ready-to-configure firewall and router, along with the Linux operating system.

2. NetVigil
by Fidelia
Platforms: Linux, Solaris, Windows NT
http://www.fidelia.com/products/index.phtml Summary:

Fidelia NetVigil is a real-time integrated fault and performance management tool that provides end-to-end business visibility of your company's IT infrastructure. Fidelia NetVigil's unique architecture will scale with your organization and allow you to view and correlate data across your servers, applications and network devices. Fidelia NetVigil's instant configuration capabilities and multi-level views combine to expedite isolation and repair of IT problems, minimize downtime and reduce the cost of labor and implementation. This translates into savings for your bottom line.

3. P-Synch Total Password Management Solution by M-TECH
Platforms: AIX, DG-UX, HP-UX, IRIX, Linux, MVS, Netware, Solaris, SunOS, VMS, Windows NT
http://www.p-synch.com/
Summary:

P-Synch is a total password management solution. It is intended to reduce the cost of ownership of password systems, and simultaneously improve the security of password protected systems. This is done through: -Password Synchronization. -Enforcing an enterprise wide password strength policy. -Allowing authenticated users to reset their own forgotten passwords and enable their locked out accounts. -Streamlining help desk call resolution for password resets. P-Synch is available for both internal use, on the corporate Intranet, as well as for the Internet deployment in B2B and B2C applications.

V. NEW TOOLS FOR LINUX PLATFORMS

1. RSA implementation in Octave v0.01 by xilun Relevant URL: http://xilun666.free.fr/rsa.m Platforms: Os Independent Summary:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

RSA implementation in Octave is a short, dirty, and very slow implementation of the cryptographic primitives of the RSA public key algorithm, using GNU Octave. It includes functions to work on big numbers, modular exponentiation, modular inversion, probabilistic prime numbers generators, key pair generators, and functions to encrypt and decrypt files using a rather insecure scheme.

2. e2undel v0.81
by Oliver Diedrich e2undel@users.sourceforge.net Relevant URL:
http://e2undel.sourceforge.net
Platforms: Linux, POSIX
Summary:

e2undel is an interactive console tool that recovers the data of deleted files on an ext2 file system under Linux. A library that allows you to recover deleted files by name is included. e2undel does not manipulate any internal ext2 structures, and it does not require any additional tools. It should be useable without knowledge of the ext2 interna.

3. RSA encrypting tool v0.11
by Tomasz Pyra
Relevant URL:
http://sedez.iq.pl/~hellfire/rsa/
Platforms: Linux, POSIX
Summary:

This is a simple RSA algorithm implementation.

VI. SPONSOR INFORMATION

Strengthening Network Security: FREE Guide Network security is a constantly moving target - even proven solutions lose their punch over time. Find out how to get COMPLETE PROTECTION against ever-growing security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek